Posted
by
samzenpus
on Wednesday April 25, 2012 @05:12PM
from the professional-swatter dept.

An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."

if people test security on Android and report it to Google, and someone will watch the Android codebase for bugs, security fixes will come to Linux for free. Since recently the Android and Linux re-merged again, this doesn't seem too far-fetched.

I doubt Google will offer a bonus for "generic" Linux bugs, even if they effect android. This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

I doubt Google will offer a bonus for "generic" Linux bugs, even if they effect android.

Why do you say that? Surely they would be happy to have a security hole in Android plugged, while gaining cred with the Linux community at the same time?

This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

That is exactly why they are offering this program in the first place.

'Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google's.

Among Mozilla's advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google's program may not make the Internet safer, Kettle observed, except by example. "Mozilla's certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla," he said.'

Jesse Ruderman is a Mozilla employee, and one of their senior security people. He has a major voice in how their bounty program is run, so of course he's going to argue that it's better. I'm a bit disturbed that the article would fail to disclose such an important piece of information.

Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.Since you discovered the bug, it is likely that someone else will also discover the bug. Only if both choose A, both win, but if the other chooses B, you loose all your profits on the black market.The expectation value of A,A is BlackProfit, the expectation value of B,A is BountyProfit. Lets say players choose taking the bounty with probability p. If more than 2 parties are involved, the probability no player choosing the bounty is (1-p)^n. The expectation value of that choice is BlackProfit*(1-p)^n. As long as that is smaller than BountyProfit, you win.

For instance, lets say you can make a billion dollars(!) on the black market, and have very corrupt hackers, so only 1 in 100000 chooses the bounty. If you have 1 million players, you need to offer 45400 dollar.If you have a population of ethical hackers, say 1 in 100 chooses the bounty (it's easier and quicker), you only need 1000 players to offer a bounty below 45000 dollars.

Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.

Kind of. But this "dilemma" presupposes a purely amoral participant. Most people aren't amoral (or sociopathic) to begin with, and once there's real money behind doing the right thing, I doubt most people would go the other way.

In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes... wait for it... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.